JP2001051742A - Method and device for inspecting completeness of executable module and relative protection service provider module - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a method for monitoring the completeness of at least one of an executable module and a protection service provider(PSP) module by including a step, etc., for providing a code for making a cross-check on a symbiont module in a relative PSP module. SOLUTION: A step for providing a symbiont module constituting a PSP module and another module and a step for providing a code for making a cross-check on the symbiont module in the PSP module are included. Then the completeness of at least one of an executable module and the PSP module is monitored through inspection by the symbont module and the cross-check by the PSP module. For example, an application program 200 includes 1st and 2nd application DLLs 202 and 203, an executable module, an interface for a PSP 210, and a monitor/completeness checker 204.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

FIELD OF THE INVENTION The present invention relates to the field of detecting changes to digital information and, more particularly, to an executable module and its associated protection for providing a protected service function to the executable module. Service provider (protected service provide
r) Techniques for checking the integrity of (PSP) modules and the tamper-resistance of PSP modules
tance) techniques.

[0002]

2. Description of the Related Art There are computer applications of the type where certain operations are performed using certain data and one or both of the data and the operations must be kept secret. In general, this is not a problem. Most users simply use the application for its intended purpose and do not mind the secrets it contains. However, some users (i.e., "hackers") may not be able to use the application and its applications to either reveal internal secrets or modify the application in such a way as to perform restricted or prohibited actions. You may want to look into a component. In general, hackers typically use either static disassembly and analysis or raw debugging of the application of interest to learn the behavior of the application. Once mastered, hackers can change their behavior according to their intended purpose. In response, tamper-resistant techniques are often applied to applications to prevent these hacking attempts.

[0003] Various means can be used to make an application and its components tamper resistant.
One is to create a digital "fingerprint" or signature of the application and its binary information. During initialization and / or at run time, changes to the protected application can be detected via checking the digital fingerprint against the current binary state of the application. When such activity or change is detected, the protected application can intentionally fail in a manner that does not expose the secrets contained therein.

[0004]

Reliable means for detecting tampering activity are often difficult to implement and must become more complex as hackers' advanced knowledge increases. The present invention aims to satisfy this need.

[0005]

SUMMARY OF THE INVENTION Briefly summarized, the first is
In an aspect, a method is provided for monitoring the integrity of at least one of an executable module and an associated protection service provider (PSP) module, the method comprising:
The P module provides a protection service function to the executable module. The method includes providing a symbiotic module that constitutes another module with the PSP module for checking the integrity of at least one of the PSP module and the executable module, and cross-checking the symbiotic module. providing code for checking within the PSP module, wherein the checking by the symbiotic module and the cross-checking by the PSP module together monitor the integrity of at least one of the executable module and the PSP module. I do.

In another aspect, a method is provided for providing a protected service function to an executable module loaded in a memory, wherein the protected service function is subdivided into a first component and a second component. . This method includes:
Implementing a first component of the protection service function in a first executable module, and implementing a second component of the protection service function in a second executable module, the first executable module comprising: And the second executable module constitute another executable module.

In another aspect, a method is provided for providing a protection service function to a calling executable module, the method comprising a first component implemented in the first executable module and a second component provided in the first executable module. A protection service function subdivided into a first component and a second component, wherein the component is implemented in a second executable module and the first executable module and the second executable module are separate executable modules. And processing the first executable module to check the integrity of the second component; and, when the integrity of the second component is verified,
The second component to perform the second component of the protection service function
Starting the executable module; checking the integrity of the first component from the second executable module at the start of the second executable module; and checking the integrity of the first component when the integrity of the first component is verified. Process executable module,
Completing the protection service function by returning the result to either the first executable module or the calling executable module.

[0008] Systems and articles of manufacture corresponding to the above-described method are also described and claimed herein.

In other words, provided herein is a protection service associated with an executable module or providing a protection service function after loading the executable module into memory, eg, by an operating system loader. -Various techniques for performing an integrity check of an executable module of an application program, such as after a check of a provider (PSP) module. Disclosed is a separate monitor entity that includes an executable module separate from the code that includes the PSP module, which prevents the monitor entity from being easily detected or disabled, and therefore provides the application module with a tolerance. Increased tamper protection. A monitor entity (also referred to herein as a "symbiont module")
It runs with the PSP module and can be invoked either by an application containing an executable module or, for example, at initialization, by an operating system. Thus, as described further below, the monitor entity can be started in various ways and run independently within the operating system.

[0010]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Generally, the present invention is directed to a stand-alone software "monitor" that runs with an application to check the validity of the application, or more specifically, the executable modules of the application, while running. Suggest use of entity or symbiotic module. Although practicable within the application itself, symbiotic code can stand alone as a separate process or thread in the system, making debugging of the combined application more difficult.

[0011] In an enhanced embodiment, the protection service function provided to the executable module by the protection service provider (PSP) module can be subdivided into a first component and a second component; One component can be left in the PSP module and the second component can be implemented in the symbiotic module. Advantageously,
In this embodiment, the symbiotic module performs an integrity check on the PSP module, and the PSP module performs an integrity cross-check on the symbiotic module, thereby further assuring the effectiveness of the protection service function and permitting the protection service function. Not accessible will be more difficult.

The following terms are used in this specification.

Executable module--A collection of digital information that typically includes instructions and data that are executed by a computer processor. This set of information is
Often stored on a medium, such as a hard drive, as a "file" from which it is loaded into memory (or random access memory, RAM) and executed. Examples of executable modules include "executable files" (using common naming conventions) (files suffixed with .exe or .com), dynamically linked libraries (suffixed with .dll) and Device driver (suffixes are .vxd, .drv, .sys or .sys)
mpd), but is not limited thereto.

Digital Signature--A digital "fingerprint" of a collection of digital data (such as an entire executable module or a subsection). Digital signatures typically have the following properties to be useful: 1) Created by applying a simple, well-defined and repeatable process (usually a mathematical process) to a set of digital data. 2) Digital signatures are used for any part of a set of digital data that has changed.
The accuracy of change is extremely high. 3) For a digital signature to be valid, the probability of finding a sequence of digital data that yields the same digital signature as another sequence of digital data must be near zero. 4) Digital signatures have a relatively small size when compared to the size of the set of digital data to which the signature generation process normally applies. The signature generation process
From a very basic and easy-to-break method (such as checksums), the message digest 5 hash (MD
Note that even cryptographically strong and secure methods such as 5) can be varied.

Symbiotic module or monitor--its function periodically or continuously checks one or more executable modules or subsections of an executable module, and the module or subsection A stand-alone executable module or sub-section of an executable module that is to verify their integrity as they appear in memory (random access memory) or other locations. Optionally, the symbiotic module may also participate in calculations performed primarily by other executable modules that check integrity (ie, the symbiotic module may provide functionality as well as integrity checking). Yes), which allows the symbiosis to be more tightly coupled to the executable module being tested. A symbiotic executable and its integrity check can be performed in two modes: as a thread of independent execution, or as a function called from one or more executables it examines, thereby providing a thread of execution. Work within) can be implemented. In the latter case, communication with the symbiosis is via some other form of signaling mechanism known to those skilled in the art (eg, shared memory, semaphores, mutexes, etc.). Integrity checking involves the generation of a digital signature from digital data and instructions that make up an executable module or a subset of an executable module, followed by the signature and the same execution known to be of good integrity. It may need to be compared with a signature generated from the enabled module. The symbiosis module is
Other checks of the executable module or subsection can also be performed, and the "hacker" can query the operating system or check the attributes of the activity in the computer system to determine if the instructions or A determination can be made as to whether an attempt has been made to illegally observe, alter, or misuse the data. Such monitors typically inspect the image of the executable module as it appears in RAM, but the monitor does not monitor executable modules or subsections stored on media other than RAM, such as a hard drive or processor cache. It doesn't mean you can't inspect the image.

Protected Service Provider--an executable module or subsection of an executable module that contains instructions or data that are confidential, confidential or proprietary and are not intended to be published. Protection services
The provider provides a protection service function to an application including one or more executable modules.

Defensive action--when the integrity check reveals that the integrity of the protection service provider has been compromised or is about to be compromised, the creator or user of the protection service provider. Action taken at the discretion. This is, for example,
It may mean that the digital signature of the protection service provider has changed, that the debugger is active, or that other unauthorized or suspicious changes have been made in the system. Defense actions include suspension of protection service provider execution, notifying users that illegal activity has been detected, logging that illegal activity has been detected, and details of illegal activity at another location. Sending (if possible) transmissions, altering the instructions or data of the protection service provider to produce incorrect results (but continue execution), causing execution failures, rebooting the computer, Includes, but is not limited to, any combination of instructing the computer to turn off.

Referring now to the drawings, FIG. 1 is a block diagram illustrating a computer system 100 on which embodiments of the present invention may operate. This embodiment includes one or more application programs, for example, one of the application programs 200 is shown in FIG. Another type of application program 102 is a compiler 105 that includes an optimizer 106. The compiler 105 and the optimizer 106 are configured to convert a source program (such as the application program 102) into optimized executable code. More generally, the source program is converted into an optimized form and then into executable code. As part of this process, compiler 105 assigns a default load address for loading an executable module from data storage device 118 to a memory such as RAM 114.

Compiler 105 and Optimizer 1
06 operates on a computer platform 104 that includes a hardware unit 112. The hardware unit 112 includes one or more central processing units (CPUs) 116, a random access memory (R)
AM) 114 and an input / output interface (not shown). Micro-instruction code 110, such as a reduced instruction set, for example, may also be included on computer platform 104. Data storage device 118
Can be connected to the computer platform 104. Links,
A computer system 100 may be included to connect to one or more similar systems (not shown).

Operating system 108 coordinates the operation of various components of computer system 100. Such a computer system 10
0 is the IBM RISC System / 6000
(RISC System / 6000 is a trademark of IBM Corporation). However, those skilled in the art will readily appreciate that the concepts described below are applicable to different types of computer systems 100, whether stand-alone or networked.

As previously mentioned, FIG. 2 is a diagram illustrating one embodiment of an application program for using the concepts of the present invention. The application program 200 includes an application graphical user interface (GUI) 201, a first application dynamic link library (DLL) 202, and a second application DLL 203. In this example, application DLLs 202 and 203
Includes an interface between the executable module and the protection service provider 210, as well as a monitor / integrity checker 204. The protected service provider 210 can include a portion of the application or interface with the application, and in the latter case, the protected service provider can include the second application.

[0022] The protected service provider may include sensitive information, and in one embodiment, the protected service provider.
A provider implements tamper-resistant code according to the principles of the present invention. Application DLLs 202 and 203
Interfaces with the protection service provider 210, it is desirable to ensure that upon opening the protection service provider neither of these DLLs are modified due to possible misuse. Therefore, application DLLs 202 and 203
Can be checked as a prerequisite for access to the protection service provider and can be dynamically and periodically rechecked at runtime. As an example, a protection service provider may provide a digital video disk
A descrambler module for the player may be included, in which case the protection service function provided by the PSP module would include a descrambling function.

The monitor / integrity checker 204, also referred to herein as symbiotic code, is activated by a protection service provider or operating system and runs independently within the operating system (OS). Preferably, it includes a program. A monitor entity can be activated in a variety of ways, some of which are more robust than others.

An application can spawn a thread (or another process) to initiate independent execution of a monitor entity. For example, Wi
In the Windows operating system, there are multiple ways to start executing a code sequence in a separate thread or process. However, in this approach, the code of the monitor is actually loaded into memory at the same time as the executable module.

The symbiotic code can be created as a separately compiled program, device driver or service. In such an embodiment, the symbiotic code is actually started by the operating system, for example, at boot time. In a sense, the symbiotic code goes dormant, waiting for the initialization and execution of the application using the protected service provider, at which point the symbiotic code begins functioning. This technique is more powerful in that when the symbiotic code is introduced to be loaded at OS boot time, it never appears to be part of the application and is itself of little interest. The initial communication between the application and the symbiotic code includes device driver input / output control commands (IOCTL), shared memory, named pipes,
It can be done in multiple ways, including but not limited to the socket communication API.

In summary, application DLL 20
2 and 203 make function calls to the protected service provider 210 to access the protected service functions. The monitor / integrity checker 204 provides the integrity checking function to both the protection service provider 210 and the application DLLs 202 and 203, for example.
provide. In an alternative embodiment, protection service provider 210 provides application DLLs 202 and 20
3 as well as a cross checker for the monitor / integrity checker 204. An inter-process communication link may also exist between the protection service provider 210 and the monitor / integrity checker 204 in various embodiments of the present invention described further herein below.

Further, the monitor / integrity checker 204
(In one embodiment) is dedicated to the integrity check of the specific application for which the protection service provider provides the protection service function. This particular application is in memory and undergoes an integrity check during execution.
As mentioned earlier, the monitor / integrity checker 204
Can spawn independently of the application (eg, as a device driver loaded at operating system boot time).

FIG. 3 illustrates a flow diagram embodiment of an integrity cross-check performed by the PSP main module (ie, monitor / integrity checker 204) on the symbiotic code, and FIG. FIG. 4 illustrates a flow diagram embodiment of an integrity check performed by code. In this example, assume that the symbiotic code is running on a different thread than the thread executing the PSP module. Beginning with FIG. 3, the integrity check of symbiotic code, which can be performed within the routine operation flow 300 of the PSP main module, first determines whether a symbiotic thread is running (310). The symbiotic code assumes that it must be running to be valid and, if the symbiotic thread is not running, takes defensive action (320). If the thread is running, the PSP module performs an integrity check on the symbiotic code to check the PSP main module to determine if the symbiotic code is valid (340). If not, a defense is again taken (350).
Otherwise, the symbiotic code is running and valid, and the PSP continues the main operating flow.

As can be seen from FIG. 4, in one embodiment of the present invention, the symbiotic code performs an integrity check 355 from the background operational flow. This integrity check
A separate thread of execution, separate from the PSP module. The symbiotic code performs an integrity check on the PSP main module, including the code itself that checks the symbiotic code (365). Optionally, the symbiotic code is a PSP
The application x using the function can also be checked. The symbiotic code determines if the PSP module is valid (375), and if not,
Perform defense action (385). If it is valid,
After waiting (395) for a period of time, the symbiotic code can perform another integrity check of the PSP main module.

As an enhancement to the above-described monitoring approach, the present specification presents the concept of subdivision between multiple independent threads of execution of one or more protection service functions. Cross-check modules that are independent of each other should be more tamper-resistant. Thus, the protection service function can be divided into a plurality of threads of execution, each of which can perform an integrity check on at least one other module, with each module being critical or protected. Some of the features included. FIG. 5 shows one embodiment for implementing this concept.

First, the primary function of the protection service provider is determined (400) and one or more protection service functions are subdivided into multiple components (410). For example, the protection service function A is subdivided into a first component A 'and a second component A ". The first component A'
Is implemented in the PSP main module (420) and the second
Is implemented within the PSP symbiotic code (430). The integrity check code is implemented within the PSP main module, eg, within the first component A 'itself, within the symbiotic code. Implemented to check the integrity of the implemented second component A "(440). Similarly, the symbiotic code having the integrity check of the first component A ′ in the PSP main module, eg, from the second component A ″,
(450). In one embodiment, PS
P symbiosis can be implemented as a device driver that is loaded at operating system boot (460).

FIG. 6 is a pictorial diagram illustrating the concept of a protected service function subdivided according to one aspect of the present invention. The call for the protection service functions A, B, C,... F has the first component A ′, B ′, C ′,..., F ′ of the respective protection service functions A, B, C,. The main protection service provider module 500 that performs The protection service function, in one embodiment, comprises a first protection component from a second protection service provider module 510.
By performing a function call to a second component implemented within. As can be seen, the second protected service provider module 510 implements the second components A ", B", C ", ..., F". During the same period as the placement of the function call from the first component to the second component, the second component performs an integrity check on the first component, and the first component checks the integrity of the second component. Perform an inspection. As indicated by the dashed line, the primary protection service provider module 500 and the second protection service
Provider module 510 preferably constitutes a separate executable module. The second protected service provider module 510 used here includes:
A symbiotic code for the primary protection service provider module 500 is included. In addition, although described herein with respect to the primary protection service provider module 500 and the second protection service provider module 510, the concepts presented are straightforward by those skilled in the art between three or more separate executable modules. Can be implemented.

FIG. 7 is a flowchart representing one embodiment for performing combined protection service function subdivision and integrity checking in accordance with the principles of the present invention. The PSP main module is called for the protection service function A by the executable module of the application x (600). The PSP main module performs a part of the function A (that is, the first component A ′) and, at the same time, checks the integrity of the second component A ″ code present in the symbiotic module (610). 2 component A "
It is determined whether the code integrity is correct (62
0) If not correct, defensive action is taken (63)
0). Assuming that the integrity of the second component is correct, a call is made to the symbiotic module for completion of protection service function A (ie, execution of second component A ") (only explicit calls, symbiotic Receives a signal to start execution in another way) (640).

The called symbiotic code checks the integrity of the first component A 'in the PSP main module (65).
0). The process determines whether the code integrity of the first component A 'is correct (660), otherwise a defense action is also taken (670). First
If the integrity of component A 'is correct, the code of the second component A "is executed and the result is returned to the PSP main module (680). The PSP main module sends the result of the protection service function call to the application. x (6
90).

In summary, those skilled in the art will appreciate from the above description that the action of the monitor / integrity checker (ie, symbiotic code) on the application itself is any or all of the following:

The monitor performs a periodic signature analysis on the memory area of the application itself. This helps detect unauthorized changes in the application, either before loading or while running. The former detection helps prevent "black box" attacks where the application is statically modified to perform unauthorized operations ("permanent" storage, usually in a hard drive). The latter is useful for detecting some debugging activity (for example, setting a breakpoint in an application actually
The binary signature of the image changes).

The monitor performs some of the protected computations of the application. Thus, disabling the monitor entity will "break" the application and prevent it from functioning properly.

The application and / or the monitor include and execute calls to each other that are unnecessary, whose calculations are detours or difficult to follow, to distract possible observers. Can be.

The monitor verifies that the call from the application is actually from an address range (in memory) where the application must or must be present, and vice versa Is also performed.

The application can also perform an integrity check (digital signature or checksum) on the monitor entity.

The monitor examines an operating system element separate from the application itself to detect unauthorized debugging operations.

If the monitor detects an incorrect operation of the application itself or a change in the signature, the monitor disables the application or uses an incorrect debug operation to end the unwanted activity. Independent actions can be taken to disable or possibly reboot or otherwise halt the system. Alternatively, the monitor can override the calculation without explicitly notifying the hacker that this action has been detected. The response to an attack can be changed from occurrence to occurrence, ie, the response can be unpredictable, which makes the application / monitor pair more difficult to hack.

If some form of network connection is available, the monitor can also report the detected activity to an external observer. This technique is useful when an application needs data from a server on the Internet (or its function is to access protected data). In this case, reporting of fraudulent activity can be used to prevent an attacker from subsequently accessing server data.

Note that the entire application may consist of multiple execution entities (eg, device drivers, processes, threads). Similarly, the monitor may be composed of a plurality of execution entities. The key is that the application and monitor are separated and the monitor is "dedicated" to that application.

For example, the invention may be included in an article of manufacture (eg, one or more computer program products) having, for example, computer usable media. The media embodies therein, for example, computer readable program code means for providing and promoting the features of the present invention. The article of manufacture can be included as part of a computer system or sold separately.

Further, it is possible to provide at least one machine readable program storage device that specifically implements a program of at least one instruction executable by a machine to perform the functions of the present invention. .

The flow diagrams herein are provided as examples. There may be variations to these figures or to the steps (or operations) described herein that do not depart from the spirit of the invention. For example, in some cases, steps can be performed in a different order, adding steps,
Can be deleted or modified. All of these variations are considered a part of the claimed invention.

In summary, the following matters are disclosed regarding the configuration of the present invention.

(1) A method for monitoring the integrity of at least one of an executable module and an associated protection service provider (PSP) module, the PSP module providing a protection service to the executable module. Providing a function, and (i) providing a symbiotic module constituting another module with the PSP module for checking the integrity of at least one of the PSP module and the executable module; (ii) ) Providing code for cross-checking the symbiotic module within the PSP module, wherein the inspection by the symbiotic module and the cross-check by the PSP module include:
Monitoring the integrity of at least one of the executable module and the PSP module together, providing the code. (2) the protection service function of the PSP module is divided into a first component and a second component, and the method further implements the first component of the protection service function in the PSP module; And performing the second component of the protection service function in the symbiotic module. (3) The disabling of the symbiotic module is caused by the PSP
Disabling the protection service function provided by the module to the executable module (2).
The method described in. (4) the protection service function includes one of a plurality of functions provided to the executable module by the PSP module, and the method further includes at least some of the plurality of functions. Subdivided into a first component and a second component, and for each of the at least some of the functions, implementing the first component in the PSP module and replacing the second component with the Performing in a symbiotic module. (5) The step of providing the symbiotic module includes:
The method of (1) above, comprising loading the symbiotic module independently of loading the PSP module. (6) wherein the executable module is processed in a system, and the step of loading the symbiotic module comprises:
Loading the symbiotic module during initialization of the system, followed by loading the PSP module for the same period of time as the protection service function required by the executable module.
The method according to the above (5). (7) The method according to (1), wherein the PSP module further includes code for monitoring the integrity of the executable module. (8) A method for providing a protection service function to an executable module loaded in a memory, the method further comprising: subdividing the protection service function into a first component and a second component; Implementing a first component in a first executable module and implementing the second component of the protection service function in a second executable module, wherein the first executable module and the A method wherein the second executable module comprises separate executable modules. (9) The first executable module includes a protection service
The method of claim 8, including a provider module, wherein the second executable module includes a symbiotic module, and wherein the symbiotic module is loaded separately from loading the protected service provider module. (10) integrating code for checking the integrity of the symbiotic module into the protection service provider module; and copying the code for checking the integrity of the protection service provider module to the symbiosis module. (9). The method according to (9), further comprising: (11) The method according to (10), further comprising introducing the symbiotic module as a device driver loaded when an operating system is booted, wherein the operating system supervises execution of the executable module. The described method. (12) The above (8), wherein the second executable module supplies a result to the first executable module, and the first executable module provides the protection service function to the executable module. the method of. (13) A method for providing a protection service function to a caller executable module, the method comprising: providing the protection service function subdivided into a first component and a second component. One component is implemented in a first executable module and the second component is a second component.
The providing step being performed in an executable module, wherein the first executable module and the second executable module are separate executable modules;
Processing the first executable module to check the integrity of the second component; and executing the second component of the protection service function when the integrity of the second component is verified. Starting the second executable module to check the integrity of the first component from the second executable module when starting the second executable module; Completing the protection service function by processing the second executable module and returning a result to either the first executable module or the calling executable module when the integrity of the second executable module is verified. And a method comprising: (14) If the second component fails the integrity check, perform a defense action in response thereto, and if the first component fails the integrity check, perform a defense action in response thereto The method according to (13) above. (15) A system for monitoring the integrity of at least one of an executable module and an associated protection service provider (PSP) module, wherein the PSP module provides a protection service function to the executable module. Means for providing a symbiotic module that constitutes another module with the PSP module for checking the integrity of at least one of the PSP module and the executable module; and Means for providing code for cross-checking a symbiotic module, comprising: testing with the symbiotic module and the PS
Said means for cross checking by a P module together monitoring the integrity of at least one of said executable module and said PSP module. (16) The protection service function of the PSP module is divided into a first component and a second component, and the system further implements the first component of the protection service function in the PSP module. And a means for implementing the second component of the protection service function in the symbiotic module. (17) The system according to (16), further comprising: means for disabling the protection service function provided to the executable module by the PSP module when disabling the symbiotic module. . (18) The protection service function includes one of a plurality of functions provided to the executable module by the PSP module, and each of at least some of the plurality of functions is a second function. Subdivided into one component and a second component, wherein the system further implements the first component in the PSP module for each of the at least some of the functions and associates the second component with the symbiotic component. The system of claim 15, including means for implementing in a module. (19) The above (15), wherein the means for providing the symbiotic module includes means for loading the symbiotic module independently of loading the PSP module.
System. (20) the executable module is supervised by an operating system, and the means for loading the symbiotic module comprises: means for loading the symbiotic module during initialization of the operating system; Means for loading said PSP module at the same time as said protection service function required by said executable module. (21) the PSP module further includes code for monitoring the integrity of the executable module;
The system according to the above (15). (22) A system for checking the integrity of at least one of an executable module and an associated protection service provider (PSP) module, wherein the PSP module provides a protection service function to the executable module. And a computing unit adapted to implement a symbiotic module for checking the integrity of at least one of the PSP module and the executable module, wherein the symbiotic module comprises:
Including the computing unit, which constitutes another module from the PSP module, wherein the computing unit further comprises:
Adapted to implement code for cross-checking the symbiotic module within the PSP module;
A system wherein inspection by the symbiotic module and cross-check by the PSP module together monitor the integrity of at least one of the executable module and the PSP module. (23) A method for providing a protection service function to a caller executable module loaded in a memory, wherein the protection service function includes a first component and a second component.
Means for sub-dividing into components and implementing the first component of the protection service function in a first executable module, and the second component of the protection service function in a second executable module Means for implementing, said first executable module and said second executable module comprising separate executable modules; and a means for implementing. (24) The first executable module includes a protected service provider module, the second executable module includes a symbiotic module, and the symbiotic module is loaded separately from the protected service provider module. , The system according to (23). (25) means for integrating code for checking the integrity of the symbiotic module with the protection service provider module, and code for checking the integrity of the protection service provider module; Means for integrating into a symbiotic module. (26) The apparatus according to (25), further comprising means for installing the symbiotic module as a device driver loaded when an operating system is booted, wherein the operating system supervises execution of the executable module. ). (27) Means for providing a result from the second executable module to the first executable module, and means for providing the protection service function from the first executable module to the calling executable module. The system according to (23), further comprising: (28) A system for providing a protection service function to an executable module loaded in a memory, wherein the protection service function is subdivided into a first component and a second component. A computing unit adapted to implement the first component in a first executable module, the computing unit further comprising the second component of the protection service function in a second executable module. A system adapted to perform, wherein the first executable module and the second executable module constitute another executable module. (29) A system for providing a protection service function to a caller executable module, the means for providing the protection service function subdivided into a first component and a second component, The first component is implemented in a first executable module, the second component is implemented in a second executable module, and the first executable module and the second executable module are separate executable modules. A means for providing, a means for providing, a means for processing the first executable module and checking the integrity of the second component, and the integrity of the second component has been verified. Sometimes means for initiating the second executable module to execute the second component of the protection service function; and opening the second executable module. Checking the integrity of the first component from the second executable module and processing the second executable module when the integrity of the first component is verified; Means for completing the protection service function by returning a result to either a module or the calling executable module. (30) Further, means for performing a defense measure when the second component fails the integrity check, and performs a defense measure when the first component fails the integrity check. (29). The system according to (29), further comprising: (31) A computer program product including a computer usable medium having therein computer readable program code means for use in monitoring the integrity of an executable module and associated protected service provider (PSP) module. And the PS
A P module providing a protection service function to the executable module, and wherein the computer readable program code means in the computer program product provides a computer with at least one of the PSP module and the executable module from a symbiotic module 1
Computer readable program code means for performing two integrity checks, wherein said symbiotic module comprises:
Said computer readable program code means constituting a separate module from said PSP module, and computer readable program code means for causing a computer to cross check said symbiotic module from code in said PSP module, The computer readable program wherein inspection by the symbiotic module and cross-check by the PSP module together monitor the integrity of at least one of the executable module and the PSP module.
An article of manufacture comprising said computer usable medium, comprising: code means. (32) A computer program product comprising a computer usable medium having therein computer readable program code means for use in providing a protection service function to an executable module loaded in a memory, the computer program product comprising: The protection service function is subdivided into a first component and a second component;
The computer readable program in a program product;
Code means for causing a computer to perform the first component of the protection service function in a first executable module; and code processing means for causing the computer to execute the protection service in a second executable module. Computer readable program code means for causing said second component of function to be implemented;
An article of manufacture comprising the computer program product, wherein the first executable module and the second executable module constitute another executable module. (33) A computer program product comprising a computer usable medium having therein computer readable program code means for use in providing a protection service function to a caller executable module, said computer program product comprising: The computer readable program code means in the product is a computer readable program code means for causing a computer to provide the protection service function subdivided into a first component and a second component; The first component is implemented in a first executable module;
The computer readable program code means, wherein components are embodied in a second executable module, wherein the first executable module and the second executable module constitute another executable module; (I) computer-readable program code means for performing processing of an executable module and integrity checking of the second component; and, when the integrity of the second component is verified, The second
Computer readable program code means for causing a computer to initiate the second executable module to execute a component; and causing the computer to execute the second executable module upon initiation of the second executable module. To perform the integrity check of the first component, process the second executable module when the integrity of the first component is verified, and report the result to the first executable module or the caller. Computer readable program code means for completing the protection service function by returning to any of the executable modules.

[Brief description of the drawings]

FIG. 1 is a block diagram of one embodiment of computer system hardware that uses tamper-resistant testing in accordance with the principles of the present invention.

FIG. 2 shows a monitor / integrity checker 2 according to the principles of the present invention.
FIG. 4 shows a system overview in which the application includes an application GUI 201, application DLLs 202 and 203, interfacing with a protection service provider 210, such as a descrambler for a digital video disc player, both of which are interfaced to the system 04; is there.

FIG. 3 is a flow diagram of one embodiment of a code implemented by a PSP module for integrity checking of symbiotic codes in accordance with the principles of the present invention.

FIG. 4 is a flowchart of one embodiment of an integrity check performed on a PSP module by a symbiotic module in accordance with the principles of the present invention.

FIG. 5 is a flowchart of one embodiment of sharing a protection service function between a PSP module and a symbiotic code, and integrity checking and integrity cross-checking between the PSP module and the symbiotic code, in accordance with the principles of the present invention.

FIG. 6 illustrates, in one embodiment, a first component and a second component implemented in separate threads of execution within a protected service provider module and symbiotic code in accordance with the principles of the present invention.
FIG. 4 illustrates the division of a protection service provider into components.

FIG. 7 is a flow diagram of another embodiment of a shared implementation of a protection service function between a protection service provider module and a symbiotic code, and integrity checking and integrity checking therebetween, in accordance with the principles of the present invention. .

[Explanation of symbols]

REFERENCE SIGNS LIST 100 computer system 102 application program 104 computer platform 105 compiler 106 optimizer 108 operating system 110 micro-instruction code 112 hardware unit 114 random access memory (RAM) 116 central processing unit (CPU) 118 data storage device 200 Application program 201 Application graphical user interface (GUI) 202 Application dynamic link library (D
LL) 203 application DLL 204 monitor / integrity checker 210 protected service provider 500 primary protection service provider module 510 second protection service provider module

 ──────────────────────────────────────────────────続 き Continued on the front page (72) Inventor John Edward Fetkovich USA 13760 Endicott, NY River Terrace 427 Apartment F-3 (72) Inventor George William Wilhelm Jr. United States 13760-1611 New York Endwell, Quarter Catalina Boulevard 705

Claims (33)

[Claims] 1. A method for monitoring the integrity of at least one of an executable module and an associated protection service provider (PSP) module, the PSP module providing a protection service function to the executable module. (I) providing a symbiotic module constituting another module with the PSP module for checking the integrity of the PSP module and at least one of the executable modules; and (ii) Providing code for cross-checking the symbiotic module within the PSP module;
Providing the code, wherein a cross check by an SP module together monitors the integrity of at least one of the executable module and the PSP module. 2. The protection service function of the PSP module is divided into a first component and a second component,
The method further comprises implementing the first component of the protection service function in the PSP module and implementing the second component of the protection service function in the symbiosis module. Item 1
The method described in. 3. The method of claim 2, wherein disabling the symbiotic module disables the protection service function provided by the PSP module to the executable module. 4. The method of claim 1, wherein the protection service function comprises one of a plurality of functions provided by the PSP module to the executable module, and the method further comprises at least some of the plurality of functions. Subdividing each of the functions into a first component and a second component; and for each of the at least some functions, implementing the first component in the PSP module; Performing in the symbiotic module. 5. The method of claim 1, wherein providing the symbiotic module comprises loading the symbiotic module independently of loading the PSP module. 6. The executable module is processed in a system, and the step of loading the symbiotic module comprises the steps of loading the symbiotic module at initialization of the system, followed by the executable module. Loading the PSP module during the same time period as the required protection service function. 7. The method of claim 1, wherein said PSP module further comprises code for monitoring the integrity of said executable module. 8. A method for providing a protection service function to an executable module loaded in a memory, the method further comprising: subdividing the protection service function into a first component and a second component; Implementing the first component of the protection service function in a second executable module, and implementing the second component of the protection service function in a second executable module.
A method wherein the executable module and the second executable module constitute separate executable modules. 9. The first executable module includes a protected service provider module, the second executable module includes a symbiotic module, and the symbiotic module loads the protected service provider module. 9. The method of claim 8, wherein the method is separately loaded. 10. Integrating code for checking the integrity of the symbiotic module with the protection service provider module, and providing code for checking the integrity of the protection service provider module to the protection service provider module. Integrating into a symbiotic module. 11. The method of claim 10, further comprising: introducing the symbiotic module as a device driver that is loaded when an operating system is booted, wherein the operating system oversees execution of the executable module. The method described in. 12. The method according to claim 8, wherein the second executable module supplies a result to the first executable module, and the first executable module provides the protection service function to the executable module. The described method. 13. A method for providing a protection service function to a caller executable module, the method comprising: providing the protection service function subdivided into a first component and a second component. The first
The component is implemented in a first executable module, the second component is implemented in a second executable module,
The providing, wherein the first executable module and the second executable module are separate executable modules; processing the first executable module; and checking the integrity of the second component. Starting the second executable module to execute the second component of the protection service function when the integrity of the second component is verified; and the second executable module. At the start of the second
Checking the integrity of the first component from an executable module, and processing the second executable module when the integrity of the first component is verified, the first executable module or the caller Completing the protection service function by returning a result to any of the executable modules. 14. If the second component fails the integrity check, take defense action in response thereto, and if the first component fails the integrity check, respond in response to the integrity check. 14. The method of claim 13, wherein a defensive action is performed. 15. A system for monitoring the integrity of at least one of an executable module and an associated protection service provider (PSP) module, said PSP module providing a protection service function to said executable module. Means for providing a symbiotic module that constitutes another module with the PSP module for checking the integrity of at least one of the PSP module and the executable module; and within the PSP module. Means for providing a code for cross-checking said symbiotic module with the inspection by the symbiotic module and the cross-check by the PSP module together with at least one of the executable module and the PSP module. One of monitoring the integrity of a system comprising said means. 16. The protection service function of the PSP module is divided into a first component and a second component, and the system further implements the first component of the protection service function in the PSP module. The system of claim 15, comprising: means for performing the second component of the protection service function within the symbiotic module. 17. The apparatus of claim 16, further comprising: means for disabling the protection service function provided by the PSP module to the executable module upon disabling the symbiotic module. system. 18. The protection service function includes one of a plurality of functions provided by the PSP module to the executable module, wherein each of at least some of the plurality of functions is provided. , First
Subdivided into a component and a second component, wherein the system further implements, for each of the at least some functions, the first component in the PSP module and the second component in the symbiotic module. 16. The system of claim 15, including means for implementing within. 19. The system of claim 15, wherein said means for providing a symbiotic module includes means for loading said symbiotic module independently of loading said PSP module. 20. The executable module is supervised by an operating system, and the means for loading the symbiotic module comprises: means for loading the symbiotic module during initialization of the operating system; 20. The system of claim 19, further comprising: means for loading the PSP module at the same time as the protection service function required by the executable module. 21. The system of claim 15, wherein said PSP module further comprises code for monitoring the integrity of said executable module. 22. A system for checking the integrity of at least one of an executable module and an associated protection service provider (PSP) module, said PSP module providing a protection service function to said executable module. A computing unit adapted to implement a symbiotic module for checking the integrity of the PSP module and at least one of the executable modules, wherein the symbiotic module comprises: The computing unit comprising another module, wherein the computing unit is further adapted to implement code for cross-checking the symbiotic module within the PSP module; By PSP module Crosscheck, together, the executable modules and the PS
A system for monitoring the integrity of at least one of the P modules. 23. A method for providing a protection service function to a caller executable loaded into a memory, the protection service function being subdivided into a first component and a second component, Means for implementing the first component of the protection service function in a first executable module, and means for implementing the second component of the protection service function in a second executable module. The first executable module and the second executable module constitute separate executable modules, and the means for performing. 24. The first executable module includes a protected service provider module, the second executable module includes a symbiotic module, and the symbiotic module is loaded separately from the protected service provider module. 24. The system of claim 23, wherein: 25. Means for integrating code for checking the integrity of the symbiotic module with the protection service provider module, and code for checking the integrity of the protection service provider module. Means for integrating the Symbiotic module into the symbiotic module. 26. The apparatus of claim 26, further comprising means for implementing said symbiotic module as a device driver loaded when an operating system is booted, wherein said operating system oversees execution of said executable module. Item 29. The system according to Item 25. 27. A means for providing a result from said second executable module to said first executable module;
Means for providing the protection service function from the first executable module to the caller executable module. 28. A system for providing a protection service function to an executable module loaded in a memory, wherein the protection service function comprises a first component and a second component.
A computing unit subdivided into components and adapted to implement the first component of the protection service function in a first executable module, wherein the computation unit further comprises: A system adapted to implement a second component in a second executable module, wherein the first executable module and the second executable module constitute another executable module. 29. A system for providing a protection service function to a caller executable module, the means for providing the protection service function subdivided into a first component and a second component. Wherein the first component is implemented in a first executable module, the second component is implemented in a second executable module, and the first executable module and the second executable module are separate Means for providing, being an executable module; means for processing the first executable module, for verifying the integrity of the second component; and verifying the integrity of the second component. Means for initiating the second executable module to execute the second component of the protection service function when executed, the second executable module Checking the integrity of the first component from the second executable module at the start of the rule, and processing the second executable module when the integrity of the first component is verified, Means for completing the protection service function by returning a result to either a first executable module or the calling executable module. 30. Means for taking defense action if the second component fails the integrity check;
If the first component fails the integrity check,
Means for performing a defense action.
System. 31. A computer comprising a computer usable medium having computer readable program code means therein for use in monitoring the integrity of an executable module and an associated Protection Service Provider (PSP) module. A program product, wherein the PSP module provides a protection service function to the executable module, and wherein the computer readable program code means in the computer program product comprises: Computer readable program code means for performing an integrity check of at least one of the executable modules, wherein the symbiotic module constitutes a separate module from the PSP module. Computer readable program code means for causing a computer to cross-check the symbiotic module from code in the PSP module, the computer readable program code means comprising: An article of manufacture comprising the computer usable medium, the computer readable program code means including a cross check together for monitoring the integrity of at least one of the executable module and the PSP module. 32. A computer program product including a computer usable medium having therein computer readable program code means for use in providing a protection service function to an executable module loaded in a memory. The protection service function is subdivided into a first component and a second component, and the computer readable program code means in the computer program product causes a computer to execute the protection service in a first executable module. Computer readable program code means for causing the first component of the function to be implemented; and computer readable program code for causing a computer to implement the second component of the protection service function in a second executable module. Means, the first Row possible module and the second executable module constitutes an alternative executable module, article of manufacture containing the computer program product. 33. A computer program product comprising a computer usable medium having therein computer readable program code means for use in providing a protection service function to a calling executable module, the computer program product comprising: The computer readable program code means in the program product is a computer readable program code means for causing a computer to provide the protection service function subdivided into a first component and a second component. hand,
The first component is implemented in a first executable module, the second component is implemented in a second executable module, and the first executable module and the second executable module are separate executable modules. A computer readable program code means for configuring a module; a computer readable program code means for causing a computer to perform the processing of the first executable module and the integrity check of the second component; Computer readable program code for causing a computer to initiate the second executable module to execute the second component of the protection service function when the integrity of the second component is verified. Means, at the start of the second executable module, the computer, the second executable module. To perform the integrity check of the first component from Lumpur, when the integrity of the first component is verified, processing said second executable module,
Computer readable program code means for completing the protection service function by returning a result to either the first executable module or the calling executable module.
Manufactured goods, including program products.